How I Found Malware in a BeamNG Mod
-
Does it really help? Not a concern troll, just curious. Do they check code like Play Store's verified?

They certainly don't review code, but on those there must be at least a scan for the most obvious malicious stuff. I am not sure it'd detect something hidden like in the article though. After all even on the guy's PC it was only detected once it tried to actually download stuff. The good thing about workshop is visibility, if someone notices something shady it'll be known fast. Not perfect, but probably better than getting your mods from random sites nobody knows.
-
This made me think, okay, this particular exploit uses malicious code in a mod that targets an old embedded chromium vulnerability, and can be fixed by updating the game's dependencies. This game started a dozen years ago, but it's still being worked on. How many retro games that are *not* still in development could have vulnerabilities like that? Especially moddable games.

Another thing I think about sometimes is how games can be malicious too. The trend in PC gaming for a while now is "flavor of the month" where every couple months a huge breakout title comes out and everyone plays it for a few weeks. The expectation from these games is that they run like shit despite being a fifth as graphically complex as a bigger budget game. What stops them from slipping a coin miner in for half a day at the peak of their popularity? Schedule 1 for example. I love this game and I'm not accusing them of anything, just an example. Let's be honest. It runs at 100fps when it could run at 1000fps. Say the dev finally optimizes it, pushes the optimizations and a coin miner in a hotfix patch with no patch notes post on Steam. Six hours later the dev removes the coin miner and pushes that as a major patch with a patch notes release calling it the "optimization update" or something. We'd be none the wiser. Don't take this as me saying not to support indie titles but it's a little weird that millions of people install untrusted closed source code from 1-3 devs all at the same time every couple months.
-
I had the mod installed in the timeframe where it had the malware. Fuck me. But what really pisses me off is that I read about it first here on Lemmy. Not on the BeamNG forums/repository, not in the game, not in the Steam announcements of the game. Like you fucks distributed malware over your platform and the policy is just to stay silent? Meh.

Why would it be in-game or a steam announcement? The malware was in a mod, not the base game. Mod authors can't post game announcements. So, at best you get a comment of the workshop or on nexus.
-
Another thing I think about sometimes is how games can be malicious too. The trend in PC gaming for a while now is "flavor of the month" where every couple months a huge breakout title comes out and everyone plays it for a few weeks. The expectation from these games is that they run like shit despite being a fifth as graphically complex as a bigger budget game. What stops them from slipping a coin miner in for half a day at the peak of their popularity? Schedule 1 for example. I love this game and I'm not accusing them of anything, just an example. Let's be honest. It runs at 100fps when it could run at 1000fps. Say the dev finally optimizes it, pushes the optimizations and a coin miner in a hotfix patch with no patch notes post on Steam. Six hours later the dev removes the coin miner and pushes that as a major patch with a patch notes release calling it the "optimization update" or something. We'd be none the wiser. Don't take this as me saying not to support indie titles but it's a little weird that millions of people install untrusted closed source code from 1-3 devs all at the same time every couple months.

It could happen, but especially if the game has at least some popularity on a platform like Steam I expect someone more tech savvy than average would smell a rat and start looking, or ask around, and it'd be found out. I don't know exactly how those work, but I imagine on top of weird CPU usage it would make very suspicious network calls too. There's always a guy that sees stuff like that and goes "where the fuck are my cycles and packets going?"
-
Why would it be in-game or a steam announcement? The malware was in a mod, not the base game. Mod authors can't post game announcements. So, at best you get a comment of the workshop or on nexus.

Because it's supposed to reach affected users as quickly as possible, and a Steam/ingame announcement is the best way to do that? Slay The Spire made such an announcement when a popular mod was infected, and even though I didn't use that mod, I still appreciated the outreach and care. Why are you acting like it's such a crazy idea to use broad announcement channels to reach all affected users?
-
Because it's supposed to reach affected users as quickly as possible, and a Steam/ingame announcement is the best way to do that? Slay The Spire made such an announcement when a popular mod was infected, and even though I didn't use that mod, I still appreciated the outreach and care. Why are you acting like it's such a crazy idea to use broad announcement channels to reach all affected users?

It's not a crazy idea. But it's also perfectly reasonable for the game publisher to not involve themselves with mods.
-
Because BeamNG runs their own mod repository. This isn't about some random mod hosted on a random 3rd party site. This mod was released and distributed over servers and services which BeamNG as a company runs themselves. So reading a whole ass month after the incident my system and my passwords were potentially compromised fucking sucks. I'm not blaming them that the mod got uploaded. I'm blaming them that they made no attempts to publicly communicate: "yo, a mod containing malware got uploaded to our service and 3000 users downloaded it before we got informed that it was infected. If you happen to have downloaded the mod in x timeframe your system was likely compromised. Sorry yadda yadda"
-
Or Electron